chore(deps): update actions/checkout action to v6

[renovate-bot-cbcoutinho]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v4.2.2 → v6.0.1
actions/checkout	action	major	v4 → v6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/checkout (actions/checkout)

v6.0.1

Compare Source

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in #​2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327
• Clarify v6 README by @​ericsciple in #​2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v4.3.1

Compare Source

• Port v6 cleanup to v4 by @​ericsciple in #​2305

v4.3.0

Compare Source

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[claude]

Pull Request Review: Update actions/checkout to v6

Summary

This PR updates actions/checkout from v4.2.2/v4 to v6.0.1 across all GitHub Actions workflows. This is an automated dependency update by Renovate Bot.

Code Quality ✅

Positive aspects:

• Consistent use of commit SHA pinning for security (e.g., 8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1)
• All 13 workflow files updated systematically
• Follows security best practices by using SHA pins rather than version tags alone

Compatibility Analysis ✅

Major changes in v6.0.0:

1. Node.js 24 support - actions/checkout now runs on Node.js 24
2. Credential persistence changes - Credentials are now persisted to a separate file (.git/config.d/credentials.conf)
3. Worktree support - Enhanced support for git worktrees with persist-credentials and includeIf

Impact on this repository:

• ✅ No breaking changes expected - the v6 upgrade is primarily infrastructure improvements
• ✅ All workflows use standard checkout patterns without custom credential handling that would conflict
• ✅ The persist-credentials: false options in third_party/astrolabe workflows are compatible with v6

Security Considerations ✅

Improvements:

• The new credential persistence mechanism in v6 isolates credentials better using git's includeIf feature
• SHA pinning (8e8c483db84b4bee98b60c0593521ed34d9990e8) ensures reproducible builds and prevents tag hijacking

No new security concerns introduced.

Performance Considerations ✅

• No performance regressions expected
• Node.js 24 runtime may provide minor performance improvements

Test Coverage 🔍

Recommendation:

• The PR should be validated by ensuring CI workflows pass successfully
• Pay special attention to:
  • appstore-build-publish.yml - Multiple checkout operations (main repo + nextcloud/server)
  • astroglobe-ci.yml - All linting and build jobs
  • Third-party astrolabe workflows

Potential Issues ⚠️

Minor considerations:

1. Node.js 24 requirement - GitHub Actions runners must support Node.js 24

   • ✅ GitHub-hosted runners already support this
   • ⚠️ If using self-hosted runners, ensure they have Node.js 24 available

2. Git version compatibility - The new .git/config.d/ feature requires git 2.31+

   • ✅ GitHub-hosted runners use git 2.34+
   • ⚠️ Self-hosted runners should verify git version

Recommendations

1. ✅ Approve and merge - This is a low-risk dependency update
2. ✅ Monitor CI runs - Watch the first few CI runs after merge to ensure no unexpected issues
3. ⚠️ Consider testing locally - If the project uses local development with these workflows, test them before merging

Verdict: APPROVE ✅

This is a well-executed automated dependency update. The changes are:

• Consistent across all files
• Security-focused (SHA pinning)
• Low-risk (no breaking changes)
• Aligned with GitHub Actions best practices

The v6 upgrade provides security improvements and future-proofs the workflows for Node.js 24 support.

---

Additional Notes:

• The PR description from Renovate Bot includes comprehensive release notes
• Consider enabling Renovate's automerge for low-risk updates like this (if not already enabled)
• No code changes needed - this is purely a dependency version bump

[claude]

Code Review: actions/checkout v4 → v6 Upgrade

Summary

This PR updates actions/checkout from v4.2.2 to v6.0.1 across 13 workflow files. This is a major version upgrade with important architectural changes.

✅ What's Good

• Consistent updates: All 13 workflow files updated uniformly
• Security best practice: Uses pinned SHA commits (8e8c483db84b4bee98b60c0593521ed34d9990e8)
• Modern platform: Node.js 24 support provides latest features and security

⚠️ Important Considerations

1. Breaking Change: Credential Persistence

v6.0.0 major change: Credentials are now persisted to a separate file instead of being stored in .git/config.

Impact assessment:

• ✅ Most workflows use persist-credentials: false - should be unaffected
• ✅ appstore-build-publish.yml checks out multiple repos - new isolation improves security
• ⚠️ Any workflows relying on git credentials in .git/config may need updates (none identified)

2. Node.js 24 Requirement

• GitHub-hosted runners: ✅ Already support Node.js 24
• Self-hosted runners: ⚠️ Need to verify Node.js 24 is available

3. Testing Recommendation

The credential persistence change is significant. Recommend testing these workflows:

• appstore-build-publish.yml (multiple checkouts)
• Any workflows that use git operations after checkout

🔍 Files Changed

• 2 files in .github/workflows/
• 11 files in third_party/astrolabe/.github/workflows/

All changes are mechanical replacements (commit SHA + version tag).

📋 Recommendation

✅ Safe to merge with the following caveats:

1. Monitor the first few workflow runs after merge for any credential-related issues
2. If using self-hosted runners, verify Node.js 24 support first
3. The appstore-build-publish.yml workflow should be tested as it performs multiple checkouts

📚 References

• v6.0.0 Release Notes
• Main PR: #2286 - Persist creds to separate file

---

Review performed following repository's CLAUDE.md conventions